many changes suggested by policy group now incorporated,

ready for DRAFT, should take out some <B> sections.


git-svn-id: http://svn.cacert.org/CAcert/Policies@1237 14b1bab8-4ef6-0310-b690-991c95c89dfd
Ian Grigg 2009-03-26 22:00:01 +00:00
parent 129a4ca022
commit 081c250ebe


@ -10,8 +10,8 @@
<h1>Security Policy for CAcert Systems</h1> <h1>Security Policy for CAcert Systems</h1>
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CAcert Security Policy Status == wip" border="0"></a> <p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CAcert Security Policy Status == wip" border="0"></a>
<br> <br>
Creation date: 2009-02-16<br> Creation date: 20090216<br>
Status: <i>work-in-progress</i> Status: <i>work-in-progress</i>, to DRAFT 20090327
</p> </p>
<h2><a name="1">1.</a> INTRODUCTION</h2> <h2><a name="1">1.</a> INTRODUCTION</h2>
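Review bot: the creation date loses its ISO 8601 form in this hunk (`Creation date: 20090216<br>` replaces `2009-02-16`), and the new status line uses the same undashed form (`to DRAFT 20090327`), so both dates on the page now differ in style from the dashed date the previous revision used. Suggest keeping `Creation date: 2009-02-16` and writing `to DRAFT 2009-03-27`.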
@ -35,7 +35,7 @@ These systems include:
Board may add additional components into the Security Manual. Board may add additional components into the Security Manual.
</p> </p>
<h4><a name="1.1.1">1.1.1.</a> Effected Personnel </h4> <h4><a name="1.1.1">1.1.1.</a> Covered Personnel </h4>
<p> <p>
These roles are directly covered: These roles are directly covered:
@ -46,12 +46,12 @@ These roles are directly covered:
</li><li> </li><li>
Systems Administrators Systems Administrators
</li><li> </li><li>
Support Engineer Support Engineers
</li><li> </li><li>
Software Assessors Software Assessors
</li></ul> </li></ul>
<h4><a name="1.1.1">1.1.2.</a> Out of Scope </h4> <h4><a name="1.1.2">1.1.2.</a> Out of Scope </h4>
<p> <p>
Non-critical systems are not covered by this manual, Non-critical systems are not covered by this manual,
@ -189,7 +189,7 @@ access security.
<p> <p>
Computers shall be inventoried before being put into service. Computers shall be inventoried before being put into service.
Inventory list shall be available to all Inventory list shall be available to all
Access Engineeers and all Systems Administrators. Access Engineers and all Systems Administrators.
List must be subject to change control. List must be subject to change control.
</p> </p>
@ -254,7 +254,7 @@ The following steps are to be taken:
<ol><li> <ol><li>
The media is securely destroyed, <b>or</b> The media is securely destroyed, <b>or</b>
</li><li> </li><li>
the media is to be securely erased, the media is securely erased,
and stored securely. and stored securely.
</li></ol> </li></ol>
@ -360,7 +360,7 @@ and must be reported and logged.
<h5> 3.1.1.2. Internal connectivity </h5> <h5> 3.1.1.2. Internal connectivity </h5>
<p> <p>
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by system administration team leader and then must be reflected in the appropriate infrastructure diagram(s). System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by System administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
</p> </p>
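Review bot: the role title is capitalised inconsistently in the changed line: `approved by System administration team leader` capitalises only the first word, while the rest of this patch moves to `Systems Administrators` and the access-control table still has `systems administration team leader` in lowercase. Pick one form per role (the §1.1.1 list uses `Systems Administrators`) and apply it to the team-leader titles as well.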
@ -404,7 +404,7 @@ Servers must enable only the operating system functions required to support the
</p> </p>
<p> <p>
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators. Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the System Administrators.
</p> </p>
@ -429,7 +429,7 @@ instruct remedial action, and refer the case to dispute resolution.
</p> </p>
<p> <p>
<b> <b> <!-- this comment left in bold deliberatel -->
Declaration of an emergency patching situation should not occur with any regularity. Declaration of an emergency patching situation should not occur with any regularity.
</b> </b>
Emergency patch events must be documented Emergency patch events must be documented
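Review bot: typo in the added HTML comment: `<!-- this comment left in bold deliberatel -->` should read `deliberately`. Since the commit message says the other `<B>` markers are to be taken out before DRAFT, this comment is the only thing distinguishing intentional emphasis from review markers; consider making that explicit, e.g. `<!-- bold is deliberate, not a review marker -->`.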
@ -455,6 +455,12 @@ and installation needs to be deferred
until approved by the Software Assessment Team. until approved by the Software Assessment Team.
</p> </p>
<p>
Requests to systems administration for ad hoc queries
over the database for business or similar purposes
must be approved by the Arbitrator.
</p>
<h3><a name="3.4"> 3.4.</a> Access control </h3> <h3><a name="3.4"> 3.4.</a> Access control </h3>
<p> <p>
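Review bot: the new paragraph requires Arbitrator approval for ad hoc database queries but says nothing about recording the request, the approval or the query that was run, so the control leaves no audit trail. Since §4.2.1 in this same patch requires that all sensitive events be logged, suggest adding a sentence such as `The request, the Arbitrator's approval and the query executed must be logged.` Also `systems administration` here is lowercase while the rest of the patch moves to `Systems Administrators`.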
@ -494,13 +500,13 @@ authorisations on the below access control lists
<td>Board of CAcert (or designee)</td> <td>Board of CAcert (or designee)</td>
</tr><tr> </tr><tr>
<td>Physical Access List</td> <td>Physical Access List</td>
<td>systems administrators</td> <td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td> <td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td> <td>exclusive with Access Engineers and Software Assessors</td>
<td>Board of CAcert (or designee)</td> <td>Board of CAcert (or designee)</td>
</tr><tr> </tr><tr>
<td>SSH Access List</td> <td>SSH Access List</td>
<td>systems administrators</td> <td>Systems Administrators</td>
<td>Unix / account / shell level</td> <td>Unix / account / shell level</td>
<td> includes by default all on Physical Access List </td> <td> includes by default all on Physical Access List </td>
<td>systems administration team leader</td> <td>systems administration team leader</td>
@ -512,7 +518,7 @@ authorisations on the below access control lists
<td>systems administration team leader</td> <td>systems administration team leader</td>
</tr><tr> </tr><tr>
<td>Repository Access List</td> <td>Repository Access List</td>
<td>software assessors</td> <td>Software Assessors</td>
<td>change the source code repository</td> <td>change the source code repository</td>
<td>exclusive with Access Engineers and systems administrators</td> <td>exclusive with Access Engineers and systems administrators</td>
<td>software assessment team leader</td> <td>software assessment team leader</td>
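Review bot: the capitalisation change is applied to only part of the row: `<td>Software Assessors</td>` is capitalised, but two lines below in the same row `exclusive with Access Engineers and systems administrators` and `software assessment team leader` stay lowercase, as does `systems administration team leader` in the rows of the previous hunk. Within one table the role names should use a single form, so either capitalise these cells too or leave the whole table lowercase.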
@ -520,7 +526,11 @@ authorisations on the below access control lists
<p> <p>
All changes to the above lists are approved by the board of CAcert. All changes
<B>
of personnel
</B>
to the above lists are approved by the Board of CAcert.
</p> </p>
<h4><a name="3.4.3"> 3.4.3.</a> Authentication </h4> <h4><a name="3.4.3"> 3.4.3.</a> Authentication </h4>
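Review bot: inserting `of personnel` narrows the rule. The previous text required Board approval for all changes to the access lists; the new sentence, `All changes of personnel to the above lists are approved by the Board of CAcert.`, covers only who is on a list, so a change to a list's scope, exclusivity or approver column would no longer need Board approval. If that narrowing is intended, say so; if not, keep `All changes to the above lists`. Separately, the `<B>`/`</B>` wrapper is uppercase while the file otherwise uses lowercase `<b>` (see `<b>or</b>` in the media-disposal hunk) and, per the commit message, is to be removed before DRAFT; the sentence also reads better as `All changes to the personnel on the above lists`.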
@ -566,7 +576,7 @@ to CAcert sysadmins in all cases.
<h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5> <h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
<p> <p>
Only system administrators designated on the Access Lists Only System Administrators designated on the Access Lists
in &sect;3.4.2 are authorized to access accounts, in &sect;3.4.2 are authorized to access accounts,
unless specifically directed by the Arbitrator. unless specifically directed by the Arbitrator.
</p> </p>
@ -590,7 +600,7 @@ Response times should be documented for Disaster Recovery planning. See &sect;6
<h4> <a name="4.1.3">4.1.3.</a> Change management procedures </h4> <h4> <a name="4.1.3">4.1.3.</a> Change management procedures </h4>
<p> <p>
All changes made to system configuration must be recorded All changes made to system configuration must be recorded
and reported in regular summaries to the board of CAcert. and reported in regular summaries to the Board of CAcert.
</p> </p>
<h4> <a name="4.1.4">4.1.4.</a> Outsourcing </h4> <h4> <a name="4.1.4">4.1.4.</a> Outsourcing </h4>
@ -600,7 +610,8 @@ and reported in regular summaries to the board of CAcert.
<h4> <a name="4.2.1">4.2.1.</a> Coverage </h4> <h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
<p> <p>
All sensitive events should be logged. All sensitive events should be logged
<B> reliably </B>.
Logs should be deleted after an appropriate amount of time Logs should be deleted after an appropriate amount of time
as documented in the Security Manual. as documented in the Security Manual.
</p> </p>
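Review bot: `reliably` in `All sensitive events should be logged <B> reliably </B>.` is left undefined, so an auditor cannot check it. The paragraph already defers log retention to the Security Manual; suggest deferring the reliability requirement there too, e.g. `Logs must be protected against loss and modification as documented in the Security Manual.` The `<B>` marker is also uppercase, unlike the `<b>` used elsewhere in the file, and per the commit message should be removed before DRAFT.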
@ -668,7 +679,7 @@ Off-site backups must be dual-encrypted using divergent methods.
<h4> <a name="4.3.6">4.3.6.</a> Verifying Backups </h4> <h4> <a name="4.3.6">4.3.6.</a> Verifying Backups </h4>
<p> <p>
Two CAcert system administrators must be Two CAcert System Administrators must be
present for verification of a backup. present for verification of a backup.
Four eyes principle must be maintained when the key and backup are together. Four eyes principle must be maintained when the key and backup are together.
For any other purpose than verification of the success of the backup, see next. For any other purpose than verification of the success of the backup, see next.
@ -882,7 +893,7 @@ Test status of each patch must be logged.
<p> <p>
Software assessment team maintains a bug system. Software assessment team maintains a bug system.
Primary communications should go through this system. Primary communications should go through this system.
Management access should be granted to all software assessors, Management access should be granted to all Software Assessors,
software developers, and systems administrators. software developers, and systems administrators.
Bug submission access should be provided to Bug submission access should be provided to
any Member that requests it. any Member that requests it.
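Review bot: the changed sentence mixes forms within one list: `all Software Assessors, software developers, and systems administrators`. `Systems Administrators` is a defined role in §1.1.1 and should follow the same convention as `Software Assessors` on the same line.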
@ -896,7 +907,7 @@ coordinates with systems administration (team leader)
to offer the upgrade. to offer the upgrade.
Upgrade format is to be negotiated, Upgrade format is to be negotiated,
but systems administration naturally has the last word. but systems administration naturally has the last word.
Software assessors are not to have access Software Assessors are not to have access
to the critical systems, providing a dual control to the critical systems, providing a dual control
at the teams level. at the teams level.
</p> </p>
@ -907,7 +918,7 @@ application source code in the version control system
is necessary to deploy the application, is necessary to deploy the application,
detailed installation instructions should also be detailed installation instructions should also be
maintained in the version control system and offered to the maintained in the version control system and offered to the
system administrators. System Administrators.
</p> </p>
<p> <p>
@ -1005,9 +1016,9 @@ or Case Managers.
<ul> <ul>
<li> Access Engineer: responsible for controlling access to hardware, and maintaining hardware. </li> <li> Access Engineer: responsible for controlling access to hardware, and maintaining hardware. </li>
<li> System administrator: responsible for maintaining core services and integrity. </li> <li> System administrator: responsible for maintaining core services and integrity. </li>
<li> Software assessor: maintain the code base and confirm security ("sign-off") of patches and releases.</li> <li> Software Assessor: maintain the code base and confirm security ("sign-off") of patches and releases.</li>
<li> Support Engineer: human interface with users.</li> <li> Support Engineer: human interface with users.</li>
<li> Team leaders: coordinate with teams, report to board.</li> <li> Team leaders: coordinate with teams, report to Board.</li>
<li> All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.</li> <li> All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.</li>
<li> Board: authorise new individuals and accesses. Coordinate overall. </li> <li> Board: authorise new individuals and accesses. Coordinate overall. </li>
</ul> </ul>
@ -1071,10 +1082,10 @@ The background check should be done on all of:
</p> </p>
<ul> <ul>
<li> systems administrator </li> <li> Systems Administrator </li>
<li> access engineeers </li> <li> Access Engineers </li>
<li> software assessor </li> <li> Software Assessor </li>
<li> support engineer </li> <li> Support Engineer </li>
<li> Board </li> <li> Board </li>
</ul> </ul>
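Review bot: the background-check list mixes singular and plural after the change: `Systems Administrator`, `Software Assessor` and `Support Engineer` are singular while `Access Engineers` is plural; the §1.1.1 list in this patch uses plurals throughout (`Systems Administrators`, `Support Engineers`, `Software Assessors`). Suggest the plural form here as well.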
@ -1174,11 +1185,24 @@ especially of new team members.
<h4> <a name="9.2.1"> 9.2.1. </a> Root Key generation</h4> <h4> <a name="9.2.1"> 9.2.1. </a> Root Key generation</h4>
<B>
<p> <p>
Root keys should be generated on a machine built securely Root keys are generated only on instruction from the Board.
for that purpose only and cleaned/wiped/destroyed immediately afterwards. They must be generated to a fully documented and reviewed procedure.
The procedure must include:
</p> </p>
<ul>
<li> Use of hardware built securely for the purpose
only and cleaned/wiped/destroyed immediately afterwards. </li>
<li> Dual control over all phases, including by Board. </li>
<li> Strong collection of primary entropy, separated from use of entropy. </li>
<li> Test cycles of the process on the day. </li>
<li> Documentation of each step as it happens against the procedure. </li>
<li> Confirmation by each participant over the process and the results. </li>
</ul>
</B>
<h4> <a name="9.2.2"> 9.2.2. </a> Backup and escrow</h4> <h4> <a name="9.2.2"> 9.2.2. </a> Backup and escrow</h4>
<p> <p>
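Review bot: the `<B>` wrapper around the rewritten 9.2.1 encloses a `<p>` and a `<ul>`; `<b>` is an inline element and block-level content inside it is invalid HTML, so strip it before DRAFT or move the emphasis inside each `<li>` if it is wanted. On substance, `They must be generated to a fully documented and reviewed procedure.` does not say who reviews the procedure or who keeps the record that the fifth list item (`Documentation of each step as it happens`) produces; naming the reviewer and the record's custodian would close that gap, and the Board, which the second item already places under dual control, is the obvious candidate. Minor: `built securely for the purpose only` reads better as `built securely for that purpose only`, as in the text it replaces.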
@ -1206,7 +1230,7 @@ Recovery must only be conducted under Arbitrator authority.
<h4> <a name="9.3.1"> 9.3.1. </a> Responsibility</h4> <h4> <a name="9.3.1"> 9.3.1. </a> Responsibility</h4>
<p> <p>
The board is responsible to the Community to manage The Board is responsible to the Community to manage
the CA at the executive level. the CA at the executive level.
</p> </p>
@ -1220,7 +1244,7 @@ All external inquiries of security import are filed as disputes and placed befor
Only the Arbitrator has the authority Only the Arbitrator has the authority
to deal with external requests and/or create a procedure. to deal with external requests and/or create a procedure.
Access Engineers, systems administrators, Access Engineers, systems administrators,
board members and other key roles Board members and other key roles
do not have the authority to answer legal inquiry. do not have the authority to answer legal inquiry.
The Arbitrator's ruling may instruct individuals, The Arbitrator's ruling may instruct individuals,
and becomes your authority to act. and becomes your authority to act.
@ -1231,8 +1255,8 @@ and becomes your authority to act.
<p> <p>
Components may be outsourced. Components may be outsourced.
Team leaders may outsource non-critical components Team leaders may outsource non-critical components
on notifying the board. on notifying the Board.
Critical components must be approved by the board. Critical components must be approved by the Board.
<p> <p>
<p> <p>
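Review bot: the unchanged context at the end of this hunk shows an unclosed paragraph: `Critical components must be approved by the Board.` is followed by `<p>` and then another `<p>`, where the first should be `</p>`. Not introduced by this commit, but worth fixing while the neighbouring lines are being touched.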
@ -1277,15 +1301,20 @@ of open disclosure wherever possible.
See <a href="https://svn.cacert.org/CAcert/principles.html"> See <a href="https://svn.cacert.org/CAcert/principles.html">
Principles</a>. Principles</a>.
This is not a statement of politics but a statement of security; This is not a statement of politics but a statement of security;
if a subject can only sustain under some <B>
confidentiality or secrecy, then find another way. if a security issue can only be sustained
</B>
under some confidentiality or secrecy, then find another way.
</p> </p>
<p> <p>
In concrete terms, In concrete terms,
only under a defined exception under policy, <B>
or under the oversight of the Arbitrator, confidentiality or secrecy may be maintained only
may confidentiality or secrecy be maintained. under a defined method in policy,
or under the oversight of the Arbitrator
(which itself is under DRP).
</B>
The exception itself must not be secret or confidential. The exception itself must not be secret or confidential.
All secrets and confidentials are reviewable under Arbitration, All secrets and confidentials are reviewable under Arbitration,
and may be reversed. and may be reversed.
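Review bot: the rewording in the second paragraph leaves a dangling reference. `only under a defined exception under policy` becomes `under a defined method in policy`, but the following unchanged line still says `The exception itself must not be secret or confidential.`, so `exception` no longer refers to anything. Either keep `exception` in the new sentence (`confidentiality or secrecy may be maintained only under a defined exception in policy`) or change the follow-on line to `The method itself must not be secret or confidential.` The first paragraph's change from `a subject` to `a security issue` is clearer; `sustained` could become `maintained` to match the wording of the next paragraph.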